Make this policy available to all donors, prospective donors, members, fund raising volunteers, BYCF Board Advisors, BYCF Board of Directors and Committee members.

Definition of Personal Information

BYCF adopts the definition of personal information as contained in the Ontario FIPPA as at June 22 2012, as detailed below: "personal information" means recorded information about an identifiable individual, including,

information relating to the race, national or ethnic origin, colour, religion, age, sex, sexual orientation or marital or family status of the individual,

information relating to the education or the medical, psychiatric, psychological, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved,

any identifying number, symbol or other particular assigned to the individual,

the address, telephone number, fingerprints or blood type of the individual,

the personal opinions or views of the individual except where they relate to another individual,

correspondence sent to an institution by the individual that is implicitly or explicitly of a private or confidential nature, and replies to that correspondence that would reveal the contents of the original correspondence,

the views or opinions of another individual about the individual, and

the individual\\\'s name where it appears with other personal information relating to the individual or where the disclosure of the name would reveal other personal information about the individual; ("renseignements personnels")

The Ontario FIPPA legislation is publicly available through the Service Ontario’s web site at the following link: http://www.e-laws.gov.on.ca/html/statutes/english/elaws_statutes_90f31_e.htm

Compliance with FIPPA

BYCF, as a not for profit corporation without shares operating within Ontario, will follow the Ontario FIPPA legislation.

The Ontario FIPPA legislation is publicly available through the Service Ontario’s web site at the following link: http://www.e-laws.gov.on.ca/html/statutes/english/elaws_statutes_90f31_e.htm

Identification of Personal Information Handled by BYCF

Donors

The name, marital status, age, contact information, correspondence and contribution value of all donors in any combination, is personal information.

All donors will have the option of remaining anonymous or providing BYCF with permission to disclose their names and contribution value as part of the Donors Recognition Program.

The name, marital status, age, contact information, correspondence and contribution value of all donors who wish to remain anonymous is personal information required to be kept private by BYCF in accordance with this Information Security and Privacy Policy.

The name and contribution value of all donors who have provided specific permission to allow their names and contribution value to be disclosed as part of the Donors Recognition Program is considered to be public information. Prospective Donors

The name, marital status, age, contact information, correspondence and prospective contribution value of all prospective donors in any combination, is personal information.

The name, marital status, age, contact information, correspondence and prospective contribution value of all prospective donors is personal information required to be kept private by BYC in accordance with this Information Security and Privacy Policy until or unless such prospective donors provide written permission for their names and prospective contribution value to be disclosed as part of the Donors Recognition Program.

Handling of Personal Information

Donors

The name, marital status, age, contact information, correspondence and contribution value of all donors will be retained in hard copy in the physical files of BYCF.

Until a donor provides written permission to disclose their name and contribution value, all donor personal information shall be treated as if it is anonymous and private.

All donors will have the option of remaining anonymous or providing BYCF with permission to disclose their names and contribution value as part of the Donors Recognition Program.

The names of all donors who wish to remain anonymous will be disclosed only to the select few BYCF representatives on a need to know basis.

The names of all donors who have given permission to disclose their names and contribution value will be included through the publically accessible BYCF Donors Recognition Program.

All anonymous contributions will be disclosed as “anonymous” through the publically accessible BYCF Donors Recognition Program.

Personal information of anonymous donors will only be entered into or maintained in electronic form on a secure computer and/or secure media.

Exception to this policy is when a donor chooses to use such electronic media to communicate with a BYCF representative. In such a case, the BYCF representative will inform the donor that the form of communication is not secure and the donor is accepting the responsibility and risk for the security and privacy of the form or communication. The following sentence must be included in any response to the donor's electronic media communication. “The form of electronic communication you have chosen to use may not be secure or private. You are accepting the responsibility and risk for the security and privacy of this form of electronic communication. BYCF does not accept any responsibility for breaches in security or privacy as a result of this mode of communication.”

Prospective Donors

The name, marital status, age, contact information, correspondence and prospective contribution value of prospective donors to be used for targeted fund raising campaigns will be retained in hard copy in the physical files of BYCF.

This information will be shared on a need to know basis with the Fund Raising Committee members and designated fund raising volunteers.

All prospective donor names will be treated as anonymous donors until such time as the prospective donor provides their written permission to have their name disclosed as a prospective or actual donor.

Personnel will not leave any prospective donor information unsecured.

Personal information of prospective donors will only be entered into or maintained in electronic form on a secure computer and/or secure media.

Exception to this policy is when a prospective donor chooses to use such electronic media to communicate with a BYCF representative. In such a case, the BYCF representative will inform the prospective donor that the form of communication is not secure and the prospective donor is accepting the responsibility and risk for the security and privacy of the form or communication. The following sentence must be included in any response to the prospective donor’s electronic media communication. ““The form of electronic communication you have chosen to use may not be secure or private. You are accepting the responsibility and risk for the security and privacy of this form of electronic communication. BYCF does not accept any responsibility for breaches in security or privacy as a result of this mode of communication.”

Records Management

Retention of personal information

Personal information of donors (including anonymous donors and prospective donors) will be retained for the periods defined by law.

Personal information will be handled as stated in Section 5 above. Destruction of personal information

Once personal information has passed the required retention period as stated in Section 5.1 above, such information will be destroyed securely by the appropriate means available at that time. Currently the appropriate means are shredding or burning of such personal information under the control of a designated BYCF representative.

The BYCF Secretary or his delegate will ensure such records are destroyed appropriately in a timely manner.

Personnel Security

Confidentiality Agreements

All Directors, Advisors, Fund Raising Committee members and fund raising volunteers are required to sign the BYCF Non Disclosure Agreement (NDA) prior to receiving information on donors or prospective donors.

The NDA must contain an explicit reference to the BYCF Information Security and Privacy Policy.

Training

All BYCF Board members and BYCF Board Advisors will be provided with a copy of the BYCF Information Security and Privacy Policy (or access to it via the BYCF web site.)

All BYCF Fund Raising Committee members and all fund raising volunteers will be provided with a copy of the BYCF Information Security and Privacy Policy (or access to it via the BYCF web site.)

Selection of Personnel

Board of Director members are voted in by the members of BYCF.

Advisors to the Board are chosen by the Board of Directors.

Fund Raising Committee members are chosen by the Chair of the Fund Raising Committee or his or her designate and approved by the Board of Directors

All fund raising volunteers will be chosen by the Fund Raising Committee.

Removal of Personnel from Role

Any Advisor, Fund Raising Committee member or fund raising volunteer who breaches the BYCF Information Security and Privacy Policy may be removed from their role at the discretion of the BYCF Board.

Physical Security

All hard copy records of anonymous donors that contain the private personal information of such donor’s names will be stored in a designated locked file cabinet in the head office of BYCF.

Access to these records will be tracked through the use of a hard copy access log.

All hard copy records of prospective donors, that contain the personal information of such donors, will be restricted on a need to know basis.

All hard copy records of prospective donors, that contain the personal information of such donors, will be handled in accordance with Section 4.2 above.

System Security

Personal information of donors (prospective, anonymous and named) will be only be entered into or maintained in electronic form on a secure computer and/or secure media.

Exception to this policy is when an donor chooses to use such electronic media to communicate with a BYCF representative. In such a case, the BYCF representative will inform the donor that the form of communication is not secure and donor is accepting the responsibility for the security /privacy of the form or communication. BYCF will provide a sentence to be included in response emails that states this policy (see section 5.1 and 5.2 above).

The secure computer and/or secure media will be encrypted and when not in use stored in a designated locked file cabinet in the head office of BYCF

Access to these records will be tracked through the use of a hard copy access log.

All electronic records of donors (prospective, anonymous and named), that contain the personal information of such donors, will be restricted on a need to know basis.

Information Security and Privacy Policy Access

The BYCF Information Security and Privacy Policy will be available on the publically accessible web site.

The BYCF Information Security and Privacy Policy will be available in hard copy accessible on site at the BYCF head office on request.

Incident Management

If an incident should occur that becomes known to any member of BYCF or advisor to BYCF then the incident should be reported to any BYCF Board Member.

As soon as an incident is reported, the BYCF Board Member should inform all BYCF Board Members that an incident has occurred.

The BYCF President or his delegate should then:

Obtain legal counsel advice on how to proceed;

Inform BYCF Board Members of legal counsel’s advice; and

Have the Board determine its course of action by resolution of the Board.

Information Security and Privacy Policy Reviews

An Information Security and Privacy Policy review will be completed annually by the Secretary of the Board or his/her designate.

The Secretary will report to the Board on his/her review findings and provide recommendations on policy changes as may be deemed required.

Changes to policy have to be approved by the Board.

Compliance

An Information Security and Privacy Policy Compliance review will be completed annually by the Treasurer of the Board or his/her designate.

The Treasurer will report to the Board on his/her review findings and provide recommendations on policy changes as required to remain complaint with relevant FIPPA legislation.

The access to the designated locked file cabinet in the head office of BYCF will be controlled by the Secretary of the Board or his/her designate.

The physical access control log will be maintained by the Secretary of the Board or his/her designate.

Access to the designated locked file cabinet will be witnessed by someone other than the Secretary of the Board or his/her designate.